California Ransomware Law Approved by State Senate Commission

Bob Hertzberg, Californian Senator, introduced a new proposal (Senate Proposal 1137) in February that suggests a modification to the punitive policy in California in order to make it an offense to intentionally fix ransomware on a CPU.

The proposal has now been approved by the Senate’s Commission on Public Security, getting it a stage nearer to being presented to the state parliament. The proposal should now be presented to Senate Appropriations Committee of the state; following which both houses will consider it.

Presently, Californian state rule covers offenses pertaining to computer facilities comprising “intentionally introducing a computer virus,” and blackmail, the latter is described as “getting the possessions of another, with her or his approval, prompted by an illegal usage of fear or force.” According to current rules, coercion is indictable with a jail term of 2, 3, or even 4 years.

Ransomware is included under existing laws, even though Senator Hertzberg thought an update was essential given the level to which ransomware is currently used to extract money from companies. FBI figures indicate that in the 1st quarter of 2016, the amount extracted from U.S businesses was $209 million. For 2015 the total was mere $25 million.

Senator Hertzberg expects to present new fines, especially for these ransomware assaults. People carrying out attacks might be penalized up to $10,000 as well as being punished to 2, 3, or even 4 years in prison, even though indicting lawyers might also pursue further charges according to current state rules. Further penal indictments might additionally be incurred based on the level of fiscal damage caused to the business in a request.

The latest proposal would make it a crime to intentionally create ransomware, through directly putting a lock on a computer system or files, or ordering another person to do this.

The latest bill utilizes the following meaning of ransomware:

The latest Bill might bring in new fines for the criminals of these assaults, even though it’s not likely to help as a prevention. Several ransomware assaults are carried out by foreigners based out of the United States and it is not just problematic to identify invaders, even if they are traced, repatriating them to face accusations in the United States is a complex procedure.

In his testimony Hertzberg stated that the existing laws include ransomware viruses, nevertheless, the increase in ransomware assaults deserved a modification to the punitive system.

Steve Giles, Chief Information Officer at Hollywood Presbyterian Medical Center gave a verification at the Public Safety Commission inquiry and provided more information on the Hollywood Presbyterian Medical Center ransomware assault in February. The assault was among a number faced by healthcare businesses and organizations in the last 2 months, even though other healthcare companies claimed they didn’t concede to the attackers’ pressures. HPMC had no choice except to pay the 40 Bitcoin – $17,000 – deal to get security keys to open the ransomware-encrypted records.

Giles clarified that on February 5, 2016, ransomware had shut down all systems of the medical center. He said, “Every single system inside the medical center got unreachable. This created an alarm to some extent within the physicians and nursing staff.” Later, the medical center heard 2 payment demands totaling 40 Bitcoin, which was supplemented by a warning that payment needed to be made within 5 days or else the systems and files would be locked permanently.

Staff at the hospital had no Bitcoin account, money was withdrawn and the funds transferred into the undetectable Bitcoin currency. After receiving the payment the attackers supplied the security keys to open the encryption. Hollywood Presbyterian Medical Center received 900 separate encryption keys – one key for each device that had been put into code. The procedure of getting rid of the infection took some time to finish, with staff needed to unlock each device and server separately.